The security landscape in the 21st century differs immensely from that of the 20th, I entered the world of security and risk management 22 years ago during a time where the view of security was the stereotypical ex-military/ex-police staff who were believed to be the font of all knowledge because of the “vast experience” that they had developed during their careers. Over time it has changed and my view has changed with it, the current security field requires a new type of security and risk manager, these professionals need to have the skills, experience, and knowledge to develop and instigate a security risk management strategy that not only makes sense to the business but offers the right level of resilience across the entire organization.
The major threat to security within the UK during the 20th century has been acknowledged to be principally based around the idea that the major threat to the corporate environment was that terrorism be it home-grown (in the case of the UK usually the republican or loyalist) or on the rare occasion, foreign-related was the major risk. In the US it was the protection against the theft of company assets and the prevention of labor issues until the latter part of the century when after 9/11 terrorism became the focus of many corporate security risk managers in the country. As we have moved into the 21st century the threat to security has massively diversified, “the underlying drivers of insecurity create both physical and cyber risk. And, indeed, the two kinds of risks are converging” (The Economist Intelligence Unit, 2017).
Doing business in the 21st century is getting more and more complicated; globalization has changed how the corporate life is now being lived, during the 20th-century corporations could comfortably build a significant empire in which to operate without too much interference from, or reliance on other organizations, this led to the creation of the global organizations that we see today such as IBM, Ford Motor Company, Microsoft and the like. In the latter part of the 20th century we started to see the development of the worldwide web into a place where commerce was being done as opposed to being used for the transfer of academic knowledge, this, in turn, has meant that interrupter organizations such as Amazon, eBay, and Alibaba have grown over the last 20 years to become global behemoths operating in every aspect of life. This rapid interconnected growth of the global IT-based companies’ in comparison to the slow organic growth of the traditional industrial type organizations brings with it a vast amount of complex potential crises, that even a well thought out and properly delivered security program will be unable to fully protect a truly global organization from.
One needs to only look at the Covid-19 Pandemic and the resulting issues worldwide around PPE and the provision of IT equipment globally to see this. Whilst addressing these concerns are not normally seen as the remit of the security team, these are things that need to be taken into account as the causes of potential crises are becoming more varied due to the effects of true globalization of companies. In fact, in 2017 companies were reporting that they believed that the top eight biggest root causes of insecurity within the next five years would be Political or ideological differences within countries or across international boundaries, Poverty/High levels of income equality, Scarcity of key resources, Low levels of education, Hostility to globalization, Disruption to migration flows, Pollution/Environmental degradation and finally Widespread human rights violations (The Economist Intelligence Unit, 2017). Now, these are not those risks or crises that would have ever been associated with 20th-century security and risk management, however, as the world inches ever closer to true globalization these are factors that must be addressed as potential flashpoints for companies to deal with. After all, if you are truly a global player and one element of your workforce discovers that they are on much less than another part of the organization whilst doing similar roles the company can expect workplace strife which could potentially undermine their ability to function or deliver their products to market. Another issue that will be likely to impact a truly global organization is the global environmental degradation mentioned in the Economist Intelligence Unit report of 2017. As the world continues to warm the climate change issue is becoming even more decisive and important. The flooding of major cities is something that is becoming more prevalent, cities such as Paris, London, Dublin, Rome which were all built on major rivers for good commercial and connectivity reasons now find themselves in peril of major flooding, and the first, second and third-order effects that this flooding brings with it. Therefore, any corporate body located within these types of the city needs to ensure that this is a major part of their security and resilience strategy or face the potential issues and crises that their lack of planning and coherent planning may bring if such flooding took place.
The integration into the cyber domain to which any global organization needs to be connected to function is something that the security manager of the early 20th century would not have even considered as part of their remit, and until recently would have still sat within the IT team rather than within a dedicated or joint security environment.
In the modern media age with 24-hour news and constant access to news outlets via the internet, it is very difficult to see how any organization can attempt to “hide” any dealing of a crisis, and those that do are often caught out by the media, a good example of this is the TalkTalk breach in 2015. Where despite knowing that they had been hacked TalkTalk failed to inform some 4,545 customers that their personal details were considered compromised and it was only through an investigation by a BBC consumer show that these were identified (Ashford, 2019). The damage reputationally and financially to TalkTalk is still being felt including a significant fine by the Information Commissioners Office in the UK of £400,000 one of the highest ever awarded by the ICO. This illustrates that whilst companies cannot legislate for all eventualities they should at least have considered the majority and have established a playbook by which to deal with either foreseen or unforeseen serious incidents before they become a crisis from which they may or may not recover.
In conclusion, the role of the 21st-century security and risk manager has changed dramatically over the last 100 years and continues to develop further, that said the role hasn’t changed so dramatically that the first security managers in organizations like Pinkerton’s, Chubb, and the Corps of Commissionaires would not recognize it, the original principles of physical security, personnel security and more latterly document security are still very much present. What has changed is the way that this is done, through the use of better technology and the like, the changes that will be totally unexpected by those pioneers of security in the 20th century is the way that security is now not just one team’s problem or even seen as the dirty secret that no one at the board level wanted to sully themselves with, but is a senior-level issue with which senior members of the board need to be fully engaged with and understand that the challenge for corporate security is no different from that for any function.